Salesforce Security Best Practices - Vishing Warning

If your IT department calls and asks you to do something, you would probably do it without a second thought. That is why the new wave of cyber criminals now calls you directly and impersonates your company's IT support staff.

Unlike the phishing emails of the past, which IT's email security rules often block, criminals are now using voice calls (vishing) and are extremely convincing. They act as if they are calling from your IT support team. They may direct you to a website that harvests your credentials and MFA tokens, or ask you to install an app that looks legitimate.

Recently, cyber criminals have been gaining access to Salesforce orgs around the world by convincing admins to install a "new" version of the Data Loader app. The app is of course not legitimate, and once it is installed and connected to your org the criminals have access to your Salesforce data. A useful tell: Salesforce distributes Data Loader itself, and a genuine IT team has no reason to phone you and walk you through installing a replacement.

Don’t Get Conned

Be suspicious of any unexpected call, whether it claims to be from IT support, your child or the President, that asks you to do something. With only a small sample of audio, criminals can clone a voice, so the call could genuinely sound exactly like your boss. Hang up and call back on a number you already know.

If you are a Salesforce Admin you can help spread the word to your users about these types of cons. You can do this easily with the out-of-the-box, no-code In-App Guidance. Create a prompt that warns users about vishing and reminds them to log in only at your designated URL. Include an acknowledgment button the user has to click to close the prompt. Then add the prompt to "Any Page, Any App" and schedule it to show up every day until the user acknowledges it.

Sidenote: If you are new to In-App Guidance, it is an absolutely cool tool for educating users in the context of Salesforce; watch a video here https://salesforce.vidyard.com/watch/EeyJabzZtNm67Fz6NzTFYM and take this Trailhead https://trailhead.salesforce.com/content/learn/modules/user-engagement/promote-feature-adoption-and-discovery to learn more.

Proactive Ways to Protect Your Salesforce Org

While you cannot prevent your teammates and users from falling victim to this or other cons, Admins can take steps now to minimize the damage should a bad actor try to get into your Salesforce org. Here are some things you can do:

  1. Ensure everyone is using MFA. No exceptions. Salesforce requires it, but it is up to you to enforce it in your org for your users and for third parties. Check that no integration or API-only account is exempt without a documented reason; a stolen password on an exempt account is all an attacker needs.
  2. Limit login IP ranges to your trusted enterprise and VPN network addresses, and define them at the profile level for added control. Note the difference: Login IP Ranges on a profile actually block logins from other addresses, whereas the org-wide Trusted IP Ranges under Network Access only skip the identity verification step for those addresses.
  3. Follow the Principle of Least Privilege. This is an issue I see ALL THE TIME. Entire objects are made public and shared with everyone instead of giving users only what they need to do their job. Connected apps have too many permissions and access to more data than they need. Far too many users have admin-level permissions. Bottom line: give people and systems access only to the data and capabilities they need to do their job. Nothing more.
  4. Run the Health Check. Use the out-of-the-box Salesforce Health Check under Setup to see which security settings fall below the recommended baseline, and fix the high-risk ones first.
  5. Use tools to monitor for threats. I know Salesforce Shield (Event Monitoring and Threat Detection) and other threat detection tools are not cheap, but ask yourself whether you can afford NOT to have them. The cost of an undetected breach could be several million dollars and severe reputation damage. Even without Shield, the Login History report under Setup is free and worth reviewing for logins from unexpected addresses or unfamiliar client applications.
  6. Use the AppExchange. Install apps only from the AppExchange, where every listing has passed Salesforce's security review. Legitimate third parties may ask you to install a non-AppExchange package; do so with extreme caution, and verify the authenticity of the app with the vendor through a channel you already trust first.
  7. Use data masking. The above best practices all apply to your sandboxes as well, but with sandboxes you have an additional tool in your toolbelt: Data Mask. Salesforce sells an add-on that automatically obfuscates personally identifiable information (PII) and sales revenue, replacing them with random or similar-looking values. If your IT budget does not allow for it, you could also do it yourself through an ETL process that strips or scrambles sensitive fields before loading data into sandboxes.
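As an added example for items 2 and 5 above (this is not code from the original post), the following script reviews a Login History export against the IP ranges you consider trusted and flags anything from outside them, calling out successful API logins from unknown addresses, which is exactly what a rogue Data Loader looks like. The column names, the allow-listed CIDRs and the sample rows are constructed assumptions modelled on the Setup > Login History download.

```python
"""Flag Salesforce logins that fall outside the org's allowed IP ranges.

Added example, not from the original post. Column names are assumptions
modelled on the Setup > Login History CSV; the CIDRs and rows are constructed.
"""
import csv
import io
import ipaddress

# Constructed allow-list: office egress and VPN pool (assumption).
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # office egress (TEST-NET-3)
    ipaddress.ip_network("198.51.100.0/25"),  # VPN pool (TEST-NET-2)
]

# Constructed sample export. "Application" is what the client reports;
# "Browser" means an interactive UI login, anything else is an API client.
SAMPLE_LOGIN_HISTORY = """Username,Login Time,Source IP,Login Type,Application,Status
admin@example.com,2025-06-02T13:05:11Z,203.0.113.45,Application,Browser,Success
admin@example.com,2025-06-02T13:41:02Z,192.0.2.77,Other Apex API,Data Loader,Success
sales1@example.com,2025-06-02T14:02:30Z,198.51.100.12,Application,Browser,Success
sales1@example.com,2025-06-02T14:09:59Z,192.0.2.77,Other Apex API,Data Loader,Invalid Password
"""


def ip_allowed(ip_text: str) -> bool:
    """True if the address sits inside one of the allowed ranges."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # malformed or empty address: treat as not trusted
    return any(ip in net for net in ALLOWED_RANGES)


def suspicious_logins(csv_text: str) -> list:
    """Return rows whose source IP is outside the allow-list.

    A successful non-browser login from an untrusted address is tagged
    'api_from_outside' (a stolen session or a rogue Data Loader looks like
    this); every other outside login is tagged 'outside_range'.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if ip_allowed(row["Source IP"]):
            continue
        is_api = row["Application"] != "Browser"
        reason = "api_from_outside" if is_api and row["Status"] == "Success" else "outside_range"
        findings.append({
            "user": row["Username"],
            "ip": row["Source IP"],
            "app": row["Application"],
            "status": row["Status"],
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in suspicious_logins(SAMPLE_LOGIN_HISTORY):
        print(finding)
```

Run it against a real export by reading the downloaded CSV into `suspicious_logins`; failed logins from outside the ranges are worth a look too, since they show an attacker who has a password but not yet a working path in.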
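For the do-it-yourself route in item 7, here is an added example (not the Salesforce Data Mask product and not code from the original post) of a masking step you could put in an ETL job before loading a sandbox. It keys every replacement on an HMAC of the real value, so the same contact always masks to the same fake contact (lookups and de-duplication still behave in the sandbox) while nothing in the sandbox reveals the original. The field list, column names, key and sample rows are constructed assumptions.

```python
"""Deterministic PII masking for data bound for a sandbox.

Added example, not the Salesforce Data Mask product and not code from the
original post. Field names, the key and the sample rows are assumptions.
"""
import csv
import hashlib
import hmac
import io

# Constructed sample Contact export (record Ids are synthetic placeholders).
SAMPLE_CONTACTS = """Id,FirstName,LastName,Email,Phone,AnnualRevenue
003000000000001,Ada,Lovelace,ada@example.com,+1-555-0100,1250000
003000000000002,Alan,Turing,alan@example.com,+1-555-0101,875000
003000000000003,Ada,Lovelace,ada@example.com,+1-555-0100,1250000
"""

# Secret used only during the ETL run; never load it into the sandbox.
# Hard-coded here so the example runs offline (assumption).
MASK_KEY = b"rotate-me-per-sandbox-refresh"


def _tag(value: str, n: int = 10) -> str:
    """Short stable token derived from the real value. An HMAC, not a plain
    hash, so someone holding only the sandbox cannot rebuild the mapping."""
    digest = hmac.new(MASK_KEY, value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:n]


def mask_name(value: str, prefix: str) -> str:
    return f"{prefix}{_tag(value, 6)}"


def mask_email(value: str) -> str:
    # Keep a valid-looking address on a reserved domain so email fields
    # still validate but nothing can ever be delivered.
    return f"user-{_tag(value)}@example.invalid"


def mask_phone(value: str) -> str:
    # 555-01XX is reserved for fictional use; derive the suffix from the HMAC.
    suffix = int(_tag(value, 8), 16) % 100
    return f"+1-555-01{suffix:02d}"


def mask_revenue(value: str) -> str:
    # Bucket down to the nearest 100k so reports still look plausible but
    # exact deal values are gone. Non-numeric input becomes blank.
    try:
        amount = float(value)
    except ValueError:
        return ""
    return str(int(amount // 100_000) * 100_000)


MASKERS = {
    "FirstName": lambda v: mask_name(v, "First"),
    "LastName": lambda v: mask_name(v, "Last"),
    "Email": mask_email,
    "Phone": mask_phone,
    "AnnualRevenue": mask_revenue,
}


def mask_csv(csv_text: str) -> list:
    """Return rows with every column in MASKERS replaced; Id is untouched
    so records can still be matched back to production if you need to."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        out.append({k: (MASKERS[k](v) if k in MASKERS else v) for k, v in row.items()})
    return out


if __name__ == "__main__":
    for masked in mask_csv(SAMPLE_CONTACTS):
        print(masked)
```

Two design points worth keeping if you adapt this: every masker is a pure function of the value and the key, so the output is reproducible across runs with the same key and changes completely when you rotate it, and the key itself must live only on the machine running the ETL job, never in the sandbox it feeds.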

I often joke ‘This is why we can’t have nice things.’, but the good news is that with Salesforce we can STILL have a powerful app that adds efficiency while also securing and protecting access to data.

Stay vigilant everyone.

###


The Summer 19 Forecast Looks Hot

Winter has been especially cold, harsh and long in the Central US where I live. The meteorologists can’t seem to provide forecasts that I like so I decided instead to focus on the Summer forecast of Salesforce new features.

 

I took a look at the Lightning roadmap that Salesforce provides and reduced the pages and pages of features down to just the features planned for Summer 2019.

 

While there are several Reports and Knowledge enhancements on the Summer 19 Roadmap, I think the hottest Summer 19 feature will be the Related List Preview showing up to 10 columns and the ability to filter Related Lists. Just think how useful and efficient it will be for end users to see key information at a glance AND interact with it without having to drill down to another page.

 

One of my favorite Summer 19 features will definitely help automate tasks and save your end users time and mistakes, but sadly it will probably be underutilized. I am referring to Macros with Conditional Steps. If you have not already, I strongly encourage you to build Macros for your Salesforce end users. With macros, repetitive tasks, such as sending an email and updating a case status, can be reduced from multiple clicks to one. Macros already work great today, and the addition of conditional steps will make them an even more powerful tool.

 

I can’t wait for these and the other hot new Summer 19 features to be released to Sandboxes about mid-May and in Production around mid-June. Hopefully summer will be here before we know it.

 

Here are all 18 features listed on the Lightning Roadmap as of March 2019: 

  • Dashboards: Scheduled refresh (without email)
  • Reports: Historical trending in tabular format (create, edit)
  • Reports: Joined reports
  • Reports: Notifications
  • Branding and Theming: Per Lightning app
  • Related Lists: Show up to 10 columns on preview
  • Related Lists: User filters on related lists
  • Console Chrome extension
  • Utility Bar: Right-align buttons
  • Accounts: Account Partners related list
  • Opportunities: Opportunity partners
  • Lightning Knowledge: Detach related files
  • Lightning Knowledge: Inline edit
  • Lightning Knowledge: Knowledge Component Action — Insert URL to Case Publisher
  • Lightning Knowledge: Knowledge Component available for all objects (search only)
  • Lightning Knowledge: Mass actions (delete, submit for translation)
  • Macros: Conditional steps
  • Social Customer Service: Mass approvals and recall

IE, Chrome and Firefox for Salesforce

Sometimes I wonder if the M in my middle name stands for "Multi-tasking," as I often find myself doing a million things at once. As evidence, just take a look at my computer while I'm working and you'll find not one but three browsers open every time.

Over the years I have found three browsers helps me stay organized.

  1. I use Internet Explorer for tabs for my Salesforce Production org.
  2. I use Chrome for tabs for my Sandbox org.
  3. I use Firefox for tabs for miscellaneous tasks and orgs.

That third browser lets me log in as another user for testing while I am simultaneously logged in as myself in Chrome or IE to make real-time changes based on the test results.

Without having to think or scroll up to see the black Sandbox identifier in the top right, I can easily avoid confusing production and sandbox: if I am in Chrome, I am in the sandbox.

And for an added level of confirmation I also downloaded a handy app that puts an "S" favicon on sandbox tabs. Here is a screenshot of the Sandbox tab, with the "S" favicon, next to my standard Production org tab.

[Screenshot: Sandbox tab with an "S" favicon next to the production tab]

Click here to get it yourself.

Finally, if you don't have two monitors, you MUST request another one immediately: having two screens to compare side by side will make you far more efficient. I use my right monitor for Sandbox and my left for Production.

Bottom line, pick a consistent strategy for managing your Salesforce instances and it will make your job easier. Just remember that a different browser or favicon is a visual cue, not a safeguard; a destructive change in production still deserves a second look at the URL before you click.

>>SMT